
deskbar.dll error on startup crashes explorer.exe


This topic is locked. 4 replies to this topic.

#1 logiczero

Posted 05 February 2009 - 03:00 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:11 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\supportdotcom\rang\ssrangsv.exe
C:\Program Files\supportdotcom\rang\ssrangui.exe
C:\Program Files\supportdotcom\rang\ssrangsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &HSN ShopBar - {57ECFB59-CD00-4b9d-961A-704E762AC529} - C:\Program Files\HSN\bar\1.bin\HSNBAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143500814\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [LXDJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [Sr Agent] "C:\Program Files\Sr\SrLogon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [A00F28E7AE.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F28E7AE.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [zzjdayuw.exe] C:\WINDOWS\zzjdayuw.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zzjdayuw.exe] C:\WINDOWS\zzjdayuw.exe (User 'Default user')
O4 - Startup: RegistryDefender.lnk = C:\Program Files\Registry Defender Platinum\RegistryDefender.exe
O4 - Global Startup: CCMonitor.lnk = C:\Program Files\AHA Core Collection\CCMonitor.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://E:\GAMES\msjavx86_3805.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://E:\games\WebDriverFullInstall.exe
O20 - AppInit_DLLs: wcrtft.dll kqziaa.dll nfkzgu.dll tjtwtn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: OneStepSrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\OneStepSrch\onestep210.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Sr\compnts\Vr\PavSrv51.exe
O23 - Service: Secure Resolutions Managed Agent (SR Agent) - Unknown owner - C:\Program Files\Sr\AgentSvc.exe
O23 - Service: support.com Controller Service(supportdotcom) (ssrang_supportdotcom) - SupportSoft, Inc. - C:\Program Files\supportdotcom\rang\ssrangsv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9486 bytes






ComboFix 09-02-04.01 - Owner 2009-02-04 16:41:30.1 - FAT32x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.344 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\OD Tools\combofix.exe
AV: Resolution Anti-Virus *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 16:50 . 2009-02-04 16:50 <DIR> d-------- c:\windows\LastGood
2009-02-04 16:48 . 2005-06-30 16:58 7,296 --a------ c:\windows\system32\drivers\osaio.sys
2009-02-04 16:26 . 2009-02-04 16:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-04 16:22 . 2009-02-04 16:22 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 16:18 . 2009-02-04 16:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\SupportSoft
2009-02-04 16:17 . 2009-02-04 16:17 <DIR> d--hs---- C:\FOUND.016
2009-02-04 16:11 . 2009-02-04 16:11 <DIR> d-------- c:\program files\supportdotcom
2009-02-04 16:11 . 2009-02-04 16:11 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-02-04 15:53 . 2009-02-04 15:53 3,990 --a------ c:\windows\system32\iofrfxsb.dll
2009-02-04 14:21 . 2009-02-04 14:21 44 --a------ c:\windows\system32\7.tmp
2009-02-04 14:10 . 2009-02-04 14:10 88 --a------ c:\windows\system32\5.tmp
2009-02-04 14:06 . 2009-02-04 14:06 3,584 --a------ c:\windows\zzjdayuw.exe
2009-02-04 14:06 . 2009-02-04 14:06 88 --a------ c:\windows\system32\3.tmp
2009-02-04 13:37 . 2009-02-04 13:37 33,920 --a------ c:\windows\system32\drivers\axequlee.sys
2009-02-04 13:26 . 2009-02-04 13:26 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-04 13:26 . 2009-02-04 14:21 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-04 13:26 . 2009-02-04 13:26 88 --a------ c:\windows\system32\B.tmp
2009-02-04 13:24 . 2009-02-04 13:24 <DIR> d--hs---- C:\FOUND.015
2009-02-04 13:06 . 2009-02-04 13:07 0 --a------ c:\windows\system32\252.tmp
2009-02-04 13:05 . 2009-02-04 13:05 2 --a------ C:\359142397
2009-01-19 21:43 . 2009-01-19 21:43 18,560 --a------ c:\windows\system32\ssrangdr.dll
2009-01-19 21:43 . 2009-01-19 21:43 2,560 --a------ c:\windows\system32\drivers\ssrangdr.sys
2009-01-16 09:11 . 2009-01-16 09:11 <DIR> d--hs---- C:\FOUND.014
2009-01-15 13:37 . 2009-01-15 13:37 40,960 --a------ c:\windows\system32\uxnaabvn.dll
2009-01-15 13:11 . 2009-01-15 13:11 <DIR> d--hs---- C:\FOUND.013
2009-01-09 08:30 . 2009-01-09 08:30 <DIR> d--hs---- C:\FOUND.012
2009-01-09 07:42 . 2009-01-09 07:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\OneStepSrch
2009-01-06 08:39 . 2009-01-06 08:39 <DIR> d-------- c:\program files\OneStepSrch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

2007-06-13 03:23 1050624 71b3827924ca5f08129fa8bb63eb7aaa c:\windows\explorer.exe
2007-06-13 03:23 1050624 7adcf642e62c66dac5749e47980f3369 c:\windows\system32\dllcache\explorer.exe
2007-06-13 04:26 1050624 42e593a9fec816cadcc6deafe5dba1bf c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1049600 ee5d3a67942d3e4171a339c29c02b651 c:\windows\$NtUninstallKB938828$\explorer.exe

2004-08-04 05:00 32768 1b2e71b9b105bdbfe894b928497879ae c:\windows\system32\ctfmon.exe
2004-08-04 05:00 32768 b05c32582a625144b6201daebd14288d c:\windows\system32\dllcache\ctfmon.exe

2005-06-10 15:53 75264 74f4123307585d3ac19a21cee3523832 c:\windows\system32\spoolsv.exe
2005-06-10 15:53 75264 4b4f85a3eba1d5372ea66f7edce741fc c:\windows\system32\dllcache\spoolsv.exe
2005-06-10 16:17 75264 06ff5eb53ac41b5ad470e733b4ef08ce c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 05:00 75264 51800281d8ddb45596167f4c62bdaa20 c:\windows\$NtUninstallKB896423$\spoolsv.exe

2004-08-04 05:00 41984 80e3ebb15a65efdd59b7c9a6567c64f9 c:\windows\system32\userinit.exe
2004-08-04 05:00 41984 3bb8c1b505fbbe11f84d00a955c7b1d6 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1711616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32768]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"AOL Fast Start"="c:\progra~1\AMERIC~1.0A\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 229432]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 84408]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 472576]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 472576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 135168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 122970]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 729178]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 53248]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 53248]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 114688]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-11-08 90112]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 40960]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 262144]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-11-08 102400]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 233472]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3103744]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 417792]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2479616]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"HostManager"="c:\program files\Common Files\AOL\1143500814\EE\AOLHostManager.exe" [2004-11-03 125528]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-27 43520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-04 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-28 118784]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-05-07 40960]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"MemoryCardManager"="c:\program files\Lexmark\Lexmark Precision Photo\MemCard.exe" [2004-02-02 159744]
"lxdjamon"="c:\program files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-05 40960]
"LXDJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll" [2007-02-09 102400]
"AIMWDInstallFilename"="c:\progra~1\AIM\AIMWDI~1.EXE" [2004-01-12 119808]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"Sr Agent"="c:\program files\Sr\SrLogon.exe" [2005-07-16 278528]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zzjdayuw.exe"="c:\windows\zzjdayuw.exe" [2009-02-04 3584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 47104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143500814\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\System32\\lxdjcoms.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\App4R.exe"=
"c:\\WorldPoint ONE Instructor Tools\\WorldPoint ONE Instructor Tools.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\System32\\muzapp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sr\\SrCmd.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDJwbgw.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjPSWX.EXE"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDJtime.exe"=

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2006-03-28 9867]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2006-03-28 12106]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-07-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-04-07 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2009-02-04 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-03-28 4010]
R2 SR Agent;Secure Resolutions Managed Agent;c:\program files\Sr\AgentSvc.exe [2008-08-31 33048]
R2 ssrang_supportdotcom;support.com Controller Service(supportdotcom);c:\program files\supportdotcom\rang\ssrangsv.exe [2009-01-23 976200]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-18 45132]
R3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [2009-01-19 2560]
S1 mailKmd;mailKmd; [x]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-08-05 20608]
S3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2006-03-28 4392]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [2006-03-28 2343]
S4 OneStepSrch Service;OneStepSrch Service;c:\documents and settings\All Users\Application Data\OneStepSrch\onestep210.exe [2009-01-09 22016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b41c923e-89c8-11dd-a89b-00038a000015}]
\Shell\AutoRun\command - F:\StarterOfficeGuardian.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{69569f64-e2f8-4a34-ac8d-820ff205d6da} - c:\windows\system32\tjtwtn.dll
BHO-{A435E39F-22D3-4BCE-ACFE-6FD8238266A3} - c:\windows\system32\hgGxWpQJ.dll
HKLM-Run-lxdjmon.exe - c:\program files\Lexmark 1400 Series\lxdjmon.exe
Notify-__c00D5126 - c:\windows\system32\__c00D5126.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=toolbar
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 16:52:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
LXDJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\AOL\ACS\AOLACSD.EXE
c:\program files\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\program files\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
c:\windows\SYSTEM32\LXDJCOMS.EXE
c:\program files\SR\AGENTFRM.EXE
c:\program files\SR\COMPNTS\VR\PAVSRV51.EXE
c:\program files\SR\COMPNTS\VR\AVENGINE.EXE
c:\program files\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
c:\program files\supportdotcom\rang\ssrangui.exe
.
**************************************************************************
.
Completion time: 2009-02-04 16:55:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 00:54:58

Pre-Run: 1,491,664,896 bytes free
Post-Run: 1,205,895,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

398 --- E O F --- 2008-05-20 22:16:07


#2 logiczero

Posted 05 February 2009 - 10:58 PM

bump bump bump

#3 logiczero

Posted 08 February 2009 - 09:46 PM

bump?

#4 teacup61

Malware Response Team
Posted 17 February 2009 - 12:30 PM

Hello logiczero,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 teacup61

Malware Response Team
Posted 01 March 2009 - 05:45 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.



